Authentication and Authorization

Passwords

Passwords are stored in a hashed format using the PBKDF2 algorithm. This means that the password is never stored in plain text and cannot be recovered from the stored value. When a user logs in, the password they provide is hashed in the same way and compared to the stored hash.

Customers can enforce password policies such as minimum length and complexity (see documentation). We do not support password expiration, as this can lead to users choosing weaker passwords (see NIST SP 800-63B). We limit the number of failed login attempts to prevent brute-force attacks. iconik also has a list of well-known passwords that are not allowed to be used. This list is updated regularly.
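The verify-by-rehash flow, the denylist check and the failed-attempt limit described above can be illustrated in a few lines. The following is an added example written for this page, not iconik's code: the iteration count, salt size, record format, denylist contents and lockout threshold are assumptions chosen for illustration, not iconik's actual settings.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumed parameters for the example (not iconik's configuration).
PBKDF2_HASH = "sha256"
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
DERIVED_KEY_BYTES = 32
MAX_FAILED_ATTEMPTS = 5

# Constructed stand-in for a well-known-passwords denylist.
DENYLIST = {"password", "123456", "qwerty", "letmein"}


def hash_password(password: str) -> str:
    """Derive a salted PBKDF2 key and store it in a self-describing record.

    Record layout: pbkdf2_<hash>$<iterations>$<salt_hex>$<key_hex>.
    Storing the parameters with the hash lets them be raised later
    without invalidating existing records.
    """
    salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac(PBKDF2_HASH, password.encode("utf-8"),
                              salt, PBKDF2_ITERATIONS, dklen=DERIVED_KEY_BYTES)
    return f"pbkdf2_{PBKDF2_HASH}${PBKDF2_ITERATIONS}${salt.hex()}${key.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the stored salt and iteration count, then compare in constant time."""
    algo, iterations, salt_hex, key_hex = record.split("$")
    hash_name = algo.removeprefix("pbkdf2_")
    expected = bytes.fromhex(key_hex)
    candidate = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations),
                                    dklen=len(expected))
    # compare_digest avoids leaking the position of the first mismatching byte.
    return hmac.compare_digest(candidate, expected)


def password_policy_ok(password: str, min_length: int = 12) -> bool:
    """Minimum-length rule plus the denylist; no expiration rule, per the text above."""
    return len(password) >= min_length and password.lower() not in DENYLIST


@dataclass
class Account:
    record: str
    failed_attempts: int = 0

    @property
    def locked(self) -> bool:
        return self.failed_attempts >= MAX_FAILED_ATTEMPTS


def login(account: Account, password: str) -> bool:
    """Refuse locked accounts before doing the (deliberately slow) derivation."""
    if account.locked:
        return False
    if verify_password(password, account.record):
        account.failed_attempts = 0
        return True
    account.failed_attempts += 1
    return False


if __name__ == "__main__":
    acct = Account(record=hash_password("correct horse battery staple"))
    print(login(acct, "correct horse battery staple"))  # True
    for _ in range(MAX_FAILED_ATTEMPTS):
        login(acct, "wrong")
    print(acct.locked)  # True: further attempts are refused without hashing
```

The record carries its own parameters so that a future increase in the iteration count applies to new hashes while old ones still verify; the lockout check runs before the derivation so that a locked account costs the server nothing.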

MFA

iconik supports Multi-Factor Authentication (MFA) using TOTP (Time-based One-Time Password) and Mail 2SV (Two-Step Verification). Customers can enforce MFA for all users in their domain (see settings). Users who log in via SSO are not subject to MFA, as it is expected that the SSO Identity Provider has already enforced MFA for the user.
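To show what TOTP verification involves on the server side, here is an added example implementing RFC 6238 over RFC 4226 HOTP, with a small clock-drift window and replay protection. It is written for this page and is not iconik's code; the 30-second step, 6 digits, HMAC-SHA1 and a one-step drift window are the common defaults and are assumptions here, and the secret used in the demo is the RFC test vector.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple

# Assumed parameters (common RFC 6238 defaults, not iconik's settings).
TIME_STEP = 30
DIGITS = 6
DRIFT_WINDOW = 1  # accept one step either side to tolerate clock skew

# RFC 4226 / RFC 6238 test secret "12345678901234567890" in base32.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper(), casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret_b32: str, at_time: Optional[int] = None) -> str:
    """RFC 6238: HOTP with the counter set to the current time step."""
    if at_time is None:
        at_time = int(time.time())
    return hotp(secret_b32, at_time // TIME_STEP)


def verify_totp(secret_b32: str, submitted: str, at_time: Optional[int] = None,
                last_used_step: Optional[int] = None) -> Tuple[bool, Optional[int]]:
    """Check a submitted code against the current step +/- DRIFT_WINDOW.

    Returns (accepted, step_to_record). The caller persists the returned step
    and passes it back as last_used_step so the same code cannot be replayed
    within its validity window.
    """
    if at_time is None:
        at_time = int(time.time())
    current_step = at_time // TIME_STEP
    for delta in range(-DRIFT_WINDOW, DRIFT_WINDOW + 1):
        step = current_step + delta
        if last_used_step is not None and step <= last_used_step:
            continue  # already consumed (or older): reject replay
        if hmac.compare_digest(hotp(secret_b32, step), submitted):
            return True, step
    return False, last_used_step


if __name__ == "__main__":
    # Deterministic demo at the RFC 6238 test time T=59 (step 1).
    print(totp(DEMO_SECRET_B32, at_time=59))          # 287082
    print(verify_totp(DEMO_SECRET_B32, "287082", 59))  # (True, 1)
    print(verify_totp(DEMO_SECRET_B32, "287082", 59, last_used_step=1))  # (False, 1)
```

The drift window is the trade-off between tolerating a slightly wrong phone clock and widening the set of codes accepted at any moment; recording the last accepted step is what stops a code that was intercepted or shoulder-surfed from being reused a few seconds later.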

SSO

iconik supports SSO (Single Sign-On) using SAML 2.0 (see settings). Users who log in via SAML are authenticated by their Identity Provider (IdP) and do not have a password stored in iconik. When a user who doesn't exist in iconik logs in via SAML, a new user is created with the information provided by the IdP. We do not support SCIM (System for Cross-domain Identity Management) at this time.

Authorization

Authorization in iconik is controlled via Roles and Access Control Lists (ACLs). Roles determine what a user can do in iconik, such as view assets, create collections, or manage users. ACLs determine which objects a user can access and what they can do with them. Using these two systems together, customers can control both what users can do in iconik and what they can access, following a Principle of Least Privilege (PoLP) approach.
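The two-gate model above (a role gate for actions, an ACL gate for objects, default deny on both) is easy to mis-implement as a single check. The following is an added example written for this page, not iconik's authorization code: the role names, action names, permission names and the user/group principal format are illustrative assumptions, not iconik's schema.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Set


class Perm(str, Enum):
    READ = "read"
    WRITE = "write"
    DELETE = "delete"


# Gate 1: roles map to the actions a user may perform (constructed example).
ROLE_ACTIONS: Dict[str, Set[str]] = {
    "viewer": {"view_assets"},
    "editor": {"view_assets", "create_collections"},
    "admin": {"view_assets", "create_collections", "manage_users"},
}


@dataclass
class User:
    name: str
    roles: Set[str]
    groups: Set[str] = field(default_factory=set)


@dataclass
class Obj:
    obj_id: str
    # Gate 2: ACL entries keyed by principal ("user:<name>" or "group:<name>").
    acl: Dict[str, Set[Perm]] = field(default_factory=dict)


def role_allows(user: User, action: str) -> bool:
    """An unknown role grants nothing; an action not listed is denied."""
    return any(action in ROLE_ACTIONS.get(role, set()) for role in user.roles)


def acl_allows(user: User, obj: Obj, perm: Perm) -> bool:
    """Permission is granted if any of the user's principals carries it."""
    principals = {f"user:{user.name}"} | {f"group:{g}" for g in user.groups}
    return any(perm in obj.acl.get(p, set()) for p in principals)


def authorize(user: User, action: str, obj: Optional[Obj] = None,
              perm: Optional[Perm] = None) -> bool:
    """Both gates must pass. A role can never widen an ACL, and vice versa."""
    if not role_allows(user, action):
        return False
    if obj is None:
        return True  # domain-level action with no object (e.g. manage_users)
    if perm is None:
        return False  # object given without a permission: refuse rather than guess
    return acl_allows(user, obj, perm)


# Constructed sample principals and one object with a mixed ACL.
ALICE = User("alice", roles={"viewer"}, groups={"marketing"})
BOB = User("bob", roles={"editor"})
CAROL = User("carol", roles={"admin"})
ASSET = Obj("asset-1", acl={
    "group:marketing": {Perm.READ},
    "user:bob": {Perm.READ, Perm.WRITE},
})


def demo() -> Dict[str, bool]:
    """Return each decision so the gates can be inspected side by side."""
    return {
        # Alice reads via group ACL and her role allows viewing.
        "alice_view": authorize(ALICE, "view_assets", ASSET, Perm.READ),
        # Alice's group ACL does not grant WRITE; role alone cannot help.
        "alice_write": authorize(ALICE, "create_collections", ASSET, Perm.WRITE),
        # Bob has WRITE on the asset and a role that allows the action.
        "bob_write": authorize(BOB, "create_collections", ASSET, Perm.WRITE),
        # Bob's ACL does not include DELETE.
        "bob_delete": authorize(BOB, "create_collections", ASSET, Perm.DELETE),
        # Carol's admin role allows the action, but she has no ACL entry.
        "carol_read": authorize(CAROL, "view_assets", ASSET, Perm.READ),
        # Domain-level action: role gate only.
        "carol_manage_users": authorize(CAROL, "manage_users"),
        "bob_manage_users": authorize(BOB, "manage_users"),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

Note that the admin role grants Carol the action but not the asset: the ACL is the only place object access is decided, which is what lets an administrator role stay narrow under a least-privilege configuration.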